CVE-2022-29244
npm packing does not respect root-level ignore files in workspaces
In short
When using npm pack or publish in a workspace, npm ignores root-level .gitignore and .npmignore files, potentially including sensitive or unintended files in published packages. This could expose private files or credentials to the public npm registry.
Technical detail
CWE-200 information exposure vulnerability affecting npm in workspace mode: `npm pack` from v7.9.0 and `npm publish` from v7.13.0. The pack/publish commands fail to respect root-level ignore directives (.gitignore, .npmignore) when workspace flags are used, bypassing the file exclusions the maintainer intended. Attackers or compromised workflows could exploit this to publish sensitive files to the npm registry.
Summary generated and translated by AI from the official description.
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm (v8.11.0); run: `npm i -g npm@latest`. Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.
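Because the defect is that root-level ignore rules were silently skipped, the practical check before publishing from a workspace is to compare what npm would actually pack against those rules. The following Node.js script is an added example, not code from the advisory or from npm itself: it takes the array that `npm pack --dry-run --json` prints (the shape, an array of tarballs each carrying a `files` list of `{ path }` entries, is assumed from npm's JSON output), applies the root .npmignore patterns with a simplified gitignore-style matcher (`*`, `**`, `?`, leading `/`, trailing `/`, `!` negation), and reports every packed path that the root rules say should have been excluded. The function names, the sample pack output and the sample ignore file are all constructed for this illustration.

```javascript
// Added example: audit an `npm pack --dry-run --json` file list against the
// root-level ignore file that affected npm versions skip in workspace mode.
// Not npm's own code. The JSON shape (array of tarballs, each with a `files`
// array of `{ path }` entries) is assumed from npm's --json output; the
// pattern matcher is a simplified gitignore subset; all sample data is constructed.

// Compile one ignore pattern into a RegExp plus its negation flag.
function patternToRegExp(pattern) {
  let p = pattern.trim();
  const negate = p.startsWith("!");
  if (negate) p = p.slice(1);
  const dirOnly = p.endsWith("/");
  if (dirOnly) p = p.slice(0, -1);
  // gitignore rule: a slash anywhere in the pattern anchors it to the root.
  const anchored = p.includes("/");
  if (p.startsWith("/")) p = p.slice(1);
  let re = "";
  for (let i = 0; i < p.length; i++) {
    const c = p[i];
    if (c === "*" && p[i + 1] === "*") {
      // "**/" matches zero or more directories; a bare "**" matches anything.
      if (p[i + 2] === "/") { re += "(.*/)?"; i += 2; } else { re += ".*"; i += 1; }
    } else if (c === "*") {
      re += "[^/]*";            // any run of characters within one path segment
    } else if (c === "?") {
      re += "[^/]";             // exactly one character within a segment
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/g, "\\$&");  // literal character
    }
  }
  const prefix = anchored ? "^" : "(^|/)";
  // A directory pattern must have something beneath it; a file pattern
  // matches the path itself or anything beneath it.
  const suffix = dirOnly ? "/" : "($|/)";
  return { re: new RegExp(prefix + re + suffix), negate };
}

// Parse .npmignore / .gitignore text: blank lines and '#' comments are dropped.
function parseIgnoreFile(text) {
  return text
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith("#"))
    .map(patternToRegExp);
}

// Rules are applied in file order; the last matching rule wins, so a later
// negated rule ("!README.md") re-includes a path an earlier rule excluded.
function isIgnored(filePath, rules) {
  let ignored = false;
  for (const { re, negate } of rules) {
    if (re.test(filePath)) ignored = !negate;
  }
  return ignored;
}

// Return every packed path that the root-level ignore file says to exclude.
function findLeakedFiles(packJson, rootIgnoreText) {
  const rules = parseIgnoreFile(rootIgnoreText);
  const leaked = [];
  for (const tarball of packJson) {
    for (const entry of tarball.files) {
      if (isIgnored(entry.path, rules)) leaked.push(entry.path);
    }
  }
  return leaked;
}

// Constructed sample: what `npm pack --dry-run --json --workspace=@acme/api`
// might report from an affected npm, including files the root rules exclude.
const SAMPLE_PACK_OUTPUT = [{
  name: "@acme/api",
  version: "1.0.0",
  filename: "acme-api-1.0.0.tgz",
  files: [
    { path: "package.json", size: 310 },
    { path: "index.js", size: 1200 },
    { path: ".env", size: 88 },
    { path: "config/secrets.json", size: 412 },
    { path: "test/fixtures/id_rsa", size: 1679 },
    { path: "lib/server.pem", size: 1800 },
    { path: "deploy/keys/deploy.key", size: 227 },
    { path: "README.md", size: 900 },
  ],
}];

// Constructed root-level .npmignore (the file an affected npm did not consult).
const SAMPLE_ROOT_NPMIGNORE = `
# constructed root-level .npmignore
.env
config/secrets.json
*.pem
**/*.key
test/
!README.md
`;

const leaked = findLeakedFiles(SAMPLE_PACK_OUTPUT, SAMPLE_ROOT_NPMIGNORE);
console.log(leaked.length ? "would publish ignored files:\n  " + leaked.join("\n  ") : "clean");
```

To use it on a real workspace, capture `npm pack --dry-run --json --workspace=<name>` to a file, `JSON.parse` it and pass the array together with the root .npmignore text to `findLeakedFiles`; a non-empty result on an unpatched npm is exactly the exposure this advisory describes, and the same check after upgrading to v8.11.0 should come back empty.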
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
npm · npm
References
https://github.com/nodejs/node/pull/43210
https://github.com/nodejs/node/releases/tag/v16.15.1
https://github.com/nodejs/node/releases/tag/v17.9.1
https://github.com/nodejs/node/releases/tag/v18.3.0
https://github.com/npm/cli/releases/tag/v8.11.0
https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52
https://github.com/npm/cli/tree/latest/workspaces/libnpmpack
https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish
https://github.com/npm/npm-packlist
https://security.netapp.com/advisory/ntap-20220722-0007/